Horde Input Validation Hole in '/services/go.php' Lets Remote Users Traverse the Directory
|
|
SecurityTracker Alert ID: 1015771
|
|
SecurityTracker URL: http://securitytracker.com/id?1015771
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 15 2006
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 3.09 and prior versions
|
Description: A vulnerability was reported in Horde. A remote user can view files on the target system.
The '/services/go.php' file does not properly validate user-supplied input in the 'url' parameter. A remote user can supply a specially
crafted parameter value containing a NULL character to view arbitrary files on the target system with the privileges of the target
web service.
The vendor was notified on March 4, 2006.
Paul Craig of Security-Assessment.com discovered this vulnerability.
CodeScan
Labs disclosed this vulnerability.
|
Impact: A remote user can view files on the target system with the privileges of the target web service.
|
Solution: The vendor has issued a fixed version (3.1), available at:
ftp://ftp.horde.org/pub/horde/horde-3.1.tar.gz
|
Vendor URL: www.horde.org/horde/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: "CodeScan Labs" <advisories@codescan.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 15 Mar 2006 13:53:05 +1300
From: "CodeScan Labs" <advisories@codescan.com>
Subject: [Full-disclosure] CodeScan Advisory: Unauthenticated Arbitrary File
|
This is a multi-part message in MIME format...
------------=_1142383956-809-312
Content-Class: urn:content-classes:message
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
========================================================================
= CodeScan Advisory, codescan.com <advisories@codescan.com>
=
= Unauthenticated Arbitrary File Read in Horde v3.09 and prior
= Vendor Website:
= http://www.horde.org
= Affected Version:
= Versions prior to and including v3.09
= Researched By
= Paul Craig <paul.craig@security-assessment.com>
= Public disclosure on March 15th, 2006
========================================================================
== Overview ==
CodeScan Labs (www.codescan.com), has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.
During the beta testing of CodeScan PHP, Horde v3.09 was selected as
one of the test applications.
This advisory is the result of research into the security of Horde, based
on the report generated by the CodeScan tool.
CodeScan Labs has also worked with the vendor of horde to ensure future
versions of the product are secure.
== Affected Versions ==
Although all versions of horde v3.09 and prior are vulnerable to this
attack, many distrubitions of PHP are not vulnerable by default.
This vulnerability was tested and exploited on a default Fedora Core 4
install, although several horde developers were unable to reproduce this
vulnerability on Debian based servers.
== Vulnerability Details ==
In the file /services/go.php, an insecure call is made to the readfile()
function.
This can be seen in the code below.
--------------------------------------------------------------
$_GET['url'] = trim($_GET['url']);
if (get_magic_quotes_gpc()) {
$url = @parse_url(trim(stripslashes($_GET['url'])));
} else {
$url = @parse_url(trim($_GET['url']));
if (empty($url) || empty($url['host'])) {
exit;
if ((!empty($_SERVER['SERVER_NAME']) &&
$_SERVER['SERVER_NAME'] == $url['host']) ||
(!empty($_SERVER['HTTP_HOST']) &&
$_SERVER['HTTP_HOST'] == $url['host'])) {
.........
// Pass through image content if requested.
if (!empty($_GET['untrusted'])) {
readfile($_GET['url']);
exit;
--------------------------------------------------------------
Calls to parse_url attempt to sanitise the input through
the requirement of an http:// type string.
Embedding a NULL character within the URL variable enables
an attacker to control the variable passed to readfile()
leading to the reading of any file on the file system with
the privileges of the web server.
== Solutions ==
CodeScan Labs has been in contact with Horde and a new version of
the software has been released to address the discovered
vulnerability.
Users are advised to upgrade to version 3.1
ftp://ftp.horde.org/pub/horde/horde-3.1.tar.gz
== Credit ==
Discovered and advised to Horde 4th March, 2006 by Paul Craig of
Security-Assessment.com
== About CodeScan Labs Ltd ==
CodeScan Labs is specialist security research and development
organisation, that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP
and PHP(Beta)
== About Security-Assessment.com ==
Security-Assessment.com is Australasia's only pure play security
company, specialising in security audit, assurance and advice services.
Assisting large and medium size Enterprises who require true independent
measurement of their security compliance at all levels.
e-mail protected and scanned by Bizo Email Filter - powered by Advascan
------------=_1142383956-809-312
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------=_1142383956-809-312--
|
|
